Gozi malware hacker sentenced to three years in US prison

A Romanian hacker who ran the infrastructure behind several malware strains was sentenced to three years in U.S. federal prison on Monday.

Prosecutors said 39-year-old Mihai Ionut Paunescu helped run “bulletproof hosting” service PowerHost[.]ro, which helped cybercriminals distribute the Gozi Virus, the Zeus Trojan, the SpyEye Trojan, and the BlackEnergy malware. Cybercriminals used the malware strains to steal financial information, among other purposes.

Paunescu rented servers and IP addresses from legitimate internet providers and then provided that infrastructure to cybercriminals, allowing them to stay anonymous and launch attacks.

Paunescu was also accused of enabling other cybercrimes through his platforms, like distributed denial-of-service (DDoS) attacks and spam campaigns. He was convicted on one charge of conspiracy to commit computer intrusion.

“Paunescu ran a ‘bulletproof’ hosting service that enabled cyber criminals throughout the world to spread malware that stole confidential financial information, crashed websites, and caused other harm,” said U.S. Attorney Damian Williams.

“By allowing cybercriminals to acquire online infrastructure for their unlawful activity without revealing their true identities, Paunescu’s bulletproof hosting service shielded his criminal customers from both law enforcement and cybersecurity professionals, while enriching himself.”

Paunescu, who goes by the moniker “Virus,” was first arrested in December 2012 in Bucharest, Romania. U.S. officials charged him in January 2013 for his role in distributing the Gozi malware, which cybercriminals used to steal e-banking credentials and siphon funds from victim accounts, but they were unable to secure his extradition from Romania. He was detained again in June 2021 at El Dorado International Airport in Bogotá, Colombia.

The Record previously reported that while Paunescu helped a variety of cybercriminal operations he was particularly close to those using the Gozi malware.

According to U.S. officials, he was one of three people who helped spread the malware globally to more than one million computers between 2007 and 2013, and he was allegedly an integral part of the second iteration of the Gozi malware.

More than 40,000 computers in the U.S. were infected by Gozi, including computers at the National Aeronautics and Space Administration, as well as others across Europe. U.S. officials said the malware allowed hackers to steal tens of millions of dollars from individuals, businesses and government entities due to its ability to evade antivirus software.

Unable to extradite Paunescu from Romania following his 2012 arrest, U.S. prosecutors kept tabs on him until his arrest in Colombia. He was originally facing up to 65 years in prison but pleaded guilty to lesser charges on February 24.

Paunescu was given credit for serving one year and two months in Romanian and Colombian custody before being extradited to the U.S. As a condition of this sentence, he must forfeit $3.51 million and pay restitution of $18,945.

During his sentencing, U.S. District Judge Lorna G. Schofield said Paunescu facilitated the distribution of “some of the most serious malware circulating at the time” and “made considerable money from it.”

The other two operators behind Gozi are Russian national Nikita Kuzmin — who was arrested in California in 2013 and released in 2016 — and Deniss Calovskis, who was arrested in Latvia but never extradited due to a dispute over a potentially lengthy prison sentence.

The malware’s source code was leaked online in 2013 and now underpins several strains used to attack banks.

Jonathan Greig

is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.